There is a gap in senior management’s engagement and prioritisation of cybersecurity that needs to be addressed. Not only is there a lack of discussion around the risks at board level but there is also ambiguity over who is responsible for cybersecurity in the organisation. Ideally, the senior executives themselves should be accountable. 

“Corporate governance specialists are increasingly concerned that senior management and board directors across the world are ill-prepared for potential data breaches and other technology problems”

Attracta Mooney and Jennifer Thompson, The Financial Times

Key findings


Insights from RSM

Cyber risk management needs to be owned at board level, and it is encouraging to see 60% of the management boards of businesses agreeing that it should be discussed more often. Certainly, we have seen a clear shift towards this over the last few years, with RSM providing training and raising education and awareness of the threats of cybercrime, and the solutions to them, among an increasing number of C-suite members, executives and non-executive directors.

However, it is still concerning to note that only 38% of board members see the CEO as the person ultimately responsible for cybersecurity within their business. Cybercrime is a senior executive responsibility. It’s important to remember that when a data protection breach or attack takes place, it is the CEO who is liable.

It is still common for senior level management to become involved only after a breach and not before. Indeed, 59% of businesses stated that once they had experienced a breach, cybersecurity became more of a priority for senior management.

All too often senior management don’t see the need for investment in cybersecurity, holding on to the dangerous belief that since they have yet to experience a breach (as far as they are aware) it won’t ever happen.

Many CEOs are ignoring the problem and only want to invest in cybersecurity when they see that something will happen or can happen. This is a particular problem for small companies with limited budgets where there is no CIO or IT Director in place and the CEO has a limited knowledge of cybercrime.

This will change as the number of breaches and public fines increase, but we are actively encouraging senior executives to understand the risks associated with cybercrime, how it affects the organisations they’re responsible for, and advising where specialist support is required to protect the business against cyberthreats.

Additionally, once senior management make combating cybercrime and protecting their business a greater priority, then many of the key requirements identified by businesses to tackle the threat are more likely to be delivered.